Forum Discussion

jhipes's avatar
10 months ago

Pulling all certificates from internal CA

I am just asking the general question to see if anyone has accomplished this before I recreate the wheel for our environment. Let me start out with my scripting knowledge is very basic. So what i am trying to accomplish is to pull all certificates signed by our internal CA, that would be pull every day in case new ones are added. The certificates that are about to expire with 30 days, 2 weeks, 1 week would send out alerts to the corresponding escalation chain (once i find out who owns the certificate). Eventually we would have service now create a ticket for the expiring certificate and route to the correct team. The biggest issue is i have no idea what all certificates we have or where they live.

I know you can use certutil to grab this data from our internal CA but just wanted to see if any one has already accomplished this or maybe someone figured out an easier way. I havent found anything in the community pointing towards what I'm trying to do, Sorry in advance if i completely missed it or did not understand because of my lack of knowledge.

  • Hi! When something like this comes up, the first thing I would do is to check that there isn’t already coverage for the kinds of issues that this monitoring would cover. I looked at your participation in the forum and it looks like you already asked about local certificate stores and it appeared that you had some luck there. It sounds like the coverage that might give you, even when pointed at the servers running the certificate authority, is not what you’re looking for. I had a chat with a colleague who works with Windows Certificate Authorities. He pointed out that the historical way we’ve monitored certs is through the endpoints they are associated with, and not through the authority itself. This may have been intentional,  as a way to make sure that that the information is actionable, but it does sound that this might leave some certificates unaccounted for. So, my first step, after checking out the exchange, would be open a support ticket asking about this. They can refer this to LM’s Monitoring Engineering team, who will then put it in their pipeline to decide if/how/when they are going to cover this. 

    If that’s too slow for you, or you don’t like their answer, the LM envision platform is quite customizable, so you have plenty of options. Because you’ve stated that you want a list of the certs and you want them to be regularly evaluated for validity and lifespan, what you need is a multi-instance datasource with active discovery. The first portion of it will be discovery, which will be how an instance list is built. This will be a certifcate’s name and identifying information. The second part will be a method of regularly polling the CA servers about the various instances and evaluating what you want evaluated. It’s possible that other LogicModules would be helpful, but this should get you most of the way there.

    To actually do this you’ll need to figure out how the CA Servers expose this information. This usually takes a little research. Because you are not an enthusiastic scripter, I would start with something more simple. Probably the easiest thing would be if your windows server exposed information about its certificate store as a WMI class. A quick search through Microsoft’s online documentation shows me this class, which at least sounds promising.
     https://learn.microsoft.com/en-us/mem/configmgr/develop/reference/osd/sms_certificate-server-wmi-class 
    If this class provides a list and key information about the certificates you’re interested in, then a Datasource with both WMI Active discovery with the proper filtering and WMI Data Collection would probably be able to do it. A classic example where you can see this working is the WinVolumeUsage- datasource, available on every account. One thing not demonstrated by this is the date handling and math, which would most likely be done using a complex datapoint with thresholds and and appropriate alert message. The remainder of your solution would be alert rules and escalation chains designed to get the alert notifications to the right people. Both of those are granular and flexible enough to allow for different instances (certificates) to have different sets of recipients. 
    If the WMI class doesn’t give you what you want, you can always script it. It’s possible to use groovy or the “upload script” collection method to run an external program, but note that the program will be run on the collector and not the CA, unless they are the same machine. On the other hand, many DataSources use Powershell to access Windows entities. There’s an example “Microsoft_Windows_Cluster_ResourceGroups” which includes both discovery and data collection. This article https://learn.microsoft.com/en-us/archive/blogs/scotts-it-blog/working-with-certificates-in-powershell might be helpful, but the scripts would need to remote-exec to the CA machine from the collector and output the data in the proper formats for interpretation. 

1 Reply

  • Hi! When something like this comes up, the first thing I would do is to check that there isn’t already coverage for the kinds of issues that this monitoring would cover. I looked at your participation in the forum and it looks like you already asked about local certificate stores and it appeared that you had some luck there. It sounds like the coverage that might give you, even when pointed at the servers running the certificate authority, is not what you’re looking for. I had a chat with a colleague who works with Windows Certificate Authorities. He pointed out that the historical way we’ve monitored certs is through the endpoints they are associated with, and not through the authority itself. This may have been intentional,  as a way to make sure that that the information is actionable, but it does sound that this might leave some certificates unaccounted for. So, my first step, after checking out the exchange, would be open a support ticket asking about this. They can refer this to LM’s Monitoring Engineering team, who will then put it in their pipeline to decide if/how/when they are going to cover this. 

    If that’s too slow for you, or you don’t like their answer, the LM envision platform is quite customizable, so you have plenty of options. Because you’ve stated that you want a list of the certs and you want them to be regularly evaluated for validity and lifespan, what you need is a multi-instance datasource with active discovery. The first portion of it will be discovery, which will be how an instance list is built. This will be a certifcate’s name and identifying information. The second part will be a method of regularly polling the CA servers about the various instances and evaluating what you want evaluated. It’s possible that other LogicModules would be helpful, but this should get you most of the way there.

    To actually do this you’ll need to figure out how the CA Servers expose this information. This usually takes a little research. Because you are not an enthusiastic scripter, I would start with something more simple. Probably the easiest thing would be if your windows server exposed information about its certificate store as a WMI class. A quick search through Microsoft’s online documentation shows me this class, which at least sounds promising.
     https://learn.microsoft.com/en-us/mem/configmgr/develop/reference/osd/sms_certificate-server-wmi-class 
    If this class provides a list and key information about the certificates you’re interested in, then a Datasource with both WMI Active discovery with the proper filtering and WMI Data Collection would probably be able to do it. A classic example where you can see this working is the WinVolumeUsage- datasource, available on every account. One thing not demonstrated by this is the date handling and math, which would most likely be done using a complex datapoint with thresholds and and appropriate alert message. The remainder of your solution would be alert rules and escalation chains designed to get the alert notifications to the right people. Both of those are granular and flexible enough to allow for different instances (certificates) to have different sets of recipients. 
    If the WMI class doesn’t give you what you want, you can always script it. It’s possible to use groovy or the “upload script” collection method to run an external program, but note that the program will be run on the collector and not the CA, unless they are the same machine. On the other hand, many DataSources use Powershell to access Windows entities. There’s an example “Microsoft_Windows_Cluster_ResourceGroups” which includes both discovery and data collection. This article https://learn.microsoft.com/en-us/archive/blogs/scotts-it-blog/working-with-certificates-in-powershell might be helpful, but the scripts would need to remote-exec to the CA machine from the collector and output the data in the proper formats for interpretation.